12 steps to safer online banking

Gone are the days of balancing check books. The advent of online banking has made budget-keeping and bill-paying a convenient, if not automatic, transaction for adults managing their finances.

Which is why it’s a prime target for cybercriminals.

According to a recent study by Fiserv, 80 percent of U.S. households now do their banking online. The sheer number of customers is a likely attraction for threat actors. But what makes online bankers irresistible prey is that a breach results in direct access to their money—no need to bother with a ransom. That’s probably why more than 25 percent of malicious activity online is aimed at financial institutions.

From social engineering scams to spear phishing, there’s no method crooks won’t try to get to your money. The most common techniques center on fooling you into a sense of security by pretending to be your bank. Whether that’s in the form of a spear phishing email that copies the logos of your financial institution or spoofing your mobile banking app, criminals have become adept at pulling the wool over the eyes of online bankers, who are now accustomed to receiving digital communication from their banks. Smishing, or sending malicious text messages, has been a popular attack method for years, luring customers into entering their login credentials via text.

In 2014, several thousand JP Morgan mobile customers received a text message containing a link to a phony login screen.

With so many susceptibilities in both desktop and mobile online banking, it’s important to not only choose a bank that offers high-level protection for your accounts, but also take your own initiative to keep those accounts secure. That’s why we’ve come up with 12 steps for safer online banking.

How banks protect your accounts

The first part of our 12-step program centers on the protections that banks have to offer for their customers. In choosing a financial institution with which to conduct your online banking, look for these top-level security measures. After all, banks have just as much to lose if you get breached.

Two-factor authentication: These days, a strong password is not enough. The safest banks offer multiple-step login processes that require both something you know (a password and/or security questions) and something you have (your phone, which receives a one-time code by text message that you must enter to gain access).
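To show what the "something you have" step looks like on the bank's side, here is an added example (not code from the article or from any bank) of how a server can issue and verify a one-time code sent out of band. The code length, five-minute lifetime and three-attempt limit are assumptions chosen for the example; the point is that the server stores only a hash of the code, accepts it once, lets it expire, and discards it after a few wrong guesses so it cannot be brute-forced.

```python
import hashlib
import hmac
import secrets
import time

# Assumed parameters for this example (not from the article).
CODE_DIGITS = 6
CODE_TTL_SECONDS = 300
MAX_ATTEMPTS = 3


class SecondFactor:
    """Server-side bookkeeping for a one-time code delivered out of band (e.g. by SMS)."""

    def __init__(self):
        # Pending codes keyed by user; only a hash of the code is kept, never the code itself.
        self._pending = {}

    def issue(self, user, now=None):
        """Create a fresh code for `user` and return it so the caller can send it to the phone."""
        now = time.time() if now is None else now
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self._pending[user] = {
            "digest": hashlib.sha256(code.encode()).hexdigest(),
            "expires": now + CODE_TTL_SECONDS,
            "attempts": 0,
        }
        return code

    def verify(self, user, submitted, now=None):
        """Return True exactly once for the correct code submitted within its lifetime."""
        now = time.time() if now is None else now
        entry = self._pending.get(user)
        if entry is None:
            return False
        if now > entry["expires"]:
            del self._pending[user]          # expired: a new code must be issued
            return False
        entry["attempts"] += 1
        digest = hashlib.sha256(submitted.encode()).hexdigest()
        # Constant-time comparison so response timing leaks nothing about the code.
        if hmac.compare_digest(digest, entry["digest"]):
            del self._pending[user]          # single use: the same code never works twice
            return True
        if entry["attempts"] >= MAX_ATTEMPTS:
            del self._pending[user]          # too many wrong guesses: discard this code
        return False


if __name__ == "__main__":
    sf = SecondFactor()
    code = sf.issue("demo-user")
    print("code sent to phone:", code)
    print("verified:", sf.verify("demo-user", code))
    print("replayed:", sf.verify("demo-user", code))
```

The `now` parameter exists so the expiry behaviour can be exercised deterministically; in production the default wall clock is used.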

SSL secured websites: On any website where a financial transaction takes place, secure communication is key. Look for the padlock icon to the left of the URL. If it’s there, the information passed between your bank’s server and your browser is encrypted in transit and cannot be read by anyone in between. In addition, the URL should read “https” and not just “http.”

Automatic timeout sessions: Banks that close out your session after a few minutes of inactivity protect you from prying eyes and human error. Better to have to log back in than to have someone swipe your account numbers while you’re on a bathroom break.

Fraud monitoring: Any bank worth trusting with your money should have continuous, real-time monitoring for fraudulent activity such as large withdrawals or purchases made in new locations.
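The two kinds of activity named above (large withdrawals and purchases from unfamiliar locations) are easy to express as rules over a transaction stream. The following is an added example, not the article's or any bank's code, that runs such rules over a constructed set of transactions. The account names, locations and the 2,000 threshold are made up for the example; a flagged location is deliberately not added to the account's known places until the customer confirms it, so repeat attempts from the same new place keep alerting.

```python
from dataclasses import dataclass

# Assumed threshold for this example; real systems tune it per customer.
LARGE_AMOUNT = 2000.00


@dataclass
class Transaction:
    account: str
    amount: float      # money leaving the account
    location: str      # coarse location, e.g. "City, Country"
    kind: str          # "withdrawal" or "purchase"


def monitor(transactions, baseline):
    """Return (transaction, reason) alerts for large withdrawals and purchases in new locations.

    `baseline` maps an account to the set of locations already known for it. Unremarkable
    activity extends that set; flagged activity does not, pending customer confirmation.
    """
    known = {acct: set(locs) for acct, locs in baseline.items()}
    alerts = []
    for tx in transactions:
        reasons = []
        if tx.kind == "withdrawal" and tx.amount >= LARGE_AMOUNT:
            reasons.append("large withdrawal")
        seen = known.setdefault(tx.account, set())
        if tx.kind == "purchase" and tx.location not in seen:
            reasons.append("purchase in new location")
        if not reasons:
            seen.add(tx.location)   # normal activity teaches the model what "normal" is
        for reason in reasons:
            alerts.append((tx, reason))
    return alerts


# Constructed sample data (not from the article).
BASELINE = {"acct-1001": {"Boston, US"}, "acct-1002": {"Austin, US"}}

SAMPLE = [
    Transaction("acct-1001", 45.10, "Boston, US", "purchase"),
    Transaction("acct-1001", 2500.00, "Boston, US", "withdrawal"),
    Transaction("acct-1001", 89.99, "Lagos, NG", "purchase"),
    Transaction("acct-1001", 15.00, "Lagos, NG", "purchase"),
    Transaction("acct-1002", 12.00, "Austin, US", "purchase"),
    Transaction("acct-1002", 300.00, "Austin, US", "withdrawal"),
]


def run_sample():
    """Flatten the alerts for the constructed sample into (account, amount, reason) tuples."""
    return [(tx.account, tx.amount, reason) for tx, reason in monitor(SAMPLE, BASELINE)]


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```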

Mobile password protection (fingerprint scanning): A twist on two-factor authentication right out of a spy movie, many mobile banking apps offer fingerprint scanning as an additional method of verification. The safest banking apps also require that phones be password protected if fingerprint scanning is to be used.

How you can protect your accounts

The second part of our 12-step program is all about user education and action. Once you’ve found a bank that can pull out all the online security stops, it’s your turn to step up the game. “The SANS Digital Forensics and Incident Response group published a poster a couple of years ago with the catchphrase, ‘Know Normal…Find Evil.’ This should be the mantra for online and mobile banking users,” says Goldstein. Take these precautionary measures to understand what’s normal communication from your bank, what’s suspicious, and what you can do to ward off malware attacks.

Beware phishing emails and texts. Keep a sharp eye on email and text communications from your bank. Unless absolutely certain of the email or text’s origins, avoid clicking through links, especially if they ask for login or other personal identification information.
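The "https, not http" check from the bank-side list and the "be certain of the link's origin" advice here can both be automated before anyone clicks. Below is an added example (not from the article) that pulls the links out of a message and flags any that are not HTTPS or whose host is not the bank's own domain or a subdomain of it. The domain `bank.example` stands in for the customer's real bank, and the sample messages and the `lookalike.test` host are constructed for the example; they illustrate the two most common ways a link can look right while pointing elsewhere: the bank's name buried inside a longer hostname, and the bank's name placed before an `@` so the browser treats it as a username rather than the destination.

```python
import re
from urllib.parse import urlparse

URL_RE = re.compile(r"""https?://[^\s<>"')]+""", re.IGNORECASE)


def host_belongs_to(host, trusted_domain):
    """True only if `host` is `trusted_domain` itself or a subdomain of it.

    'online.bank.example' matches 'bank.example'; 'bank.example.lookalike.test' and
    'bank-example.test' do not, even though both contain the trusted name.
    """
    host = host.lower().rstrip(".")
    trusted_domain = trusted_domain.lower()
    return host == trusted_domain or host.endswith("." + trusted_domain)


def check_links(message, trusted_domain):
    """Return a list of (url, problem) for every link in `message` that should not be clicked."""
    findings = []
    for url in URL_RE.findall(message):
        parsed = urlparse(url)
        # urlparse strips any user@ prefix, so 'bank.example@lookalike.test' resolves to
        # the real destination host, lookalike.test.
        host = parsed.hostname or ""
        if parsed.scheme.lower() != "https":
            findings.append((url, "not https"))
        if not host_belongs_to(host, trusted_domain):
            findings.append((url, "host is not the bank's domain"))
    return findings


# Constructed sample messages (not from the article); bank.example is a placeholder domain.
TRUSTED = "bank.example"

SAMPLES = {
    "genuine": "Your statement is ready at https://online.bank.example/statements",
    "lookalike": "Verify your account now: https://online.bank.example.lookalike.test/login",
    "userinfo": "Confirm details: https://bank.example@lookalike.test/confirm",
    "plain_http": "Log in here: http://online.bank.example/login",
}


def triage():
    """Run the link check over every sample message."""
    return {name: check_links(text, TRUSTED) for name, text in SAMPLES.items()}


if __name__ == "__main__":
    for name, findings in triage().items():
        print(name, "->", findings or "no problems found")
```

A clean result does not prove a message is genuine (the sender address and the content still matter), but any finding is reason enough to go to the bank's site by typing the address yourself instead of following the link.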

Report suspicious activity right away. “One of the most important benefits of Internet and mobile banking is the convenience for users to check balances frequently,” says Goldstein. He recommends customers follow their account activity in order to quickly identify and report abuse. “It’s much easier for banks to research and take action on recent transactions, and it gives you the best leverage to recover any losses.”

Make sure you download the official app of your bank. Whether downloading from Google Play or the App Store, be sure to check reviews, read summaries carefully, and double and triple check who and where the app comes from.

If possible, don’t use a public computer and/or public wifi for banking. If you don’t have Internet access at home, make sure you sign out of your account before closing the browser. And if you’re sitting at a café working on your blog, that’s not the best time to catch up on your bill-paying. Public wifi is much easier to breach than your own password-protected home connection.

Buy a computer just for bills. For those willing and able, purchasing a laptop dedicated only to financial transactions helps limit the potential for infection and breach. That means online banking and bill paying only. No checking email. No surfing the web. No social media. Start up, check accounts, and shut down.

Customize online banking transactions. Take a look at the admin controls of your online banking accounts. Some banks let you limit online transaction capabilities, like international wire transfer. The less you do online (without completely hindering the convenience of online banking), the safer your money is.

Layer your security. The more the merrier. Firewall and antivirus can stop known threats, while anti-malware and anti-exploit cover advanced threats like malvertising and ransomware. And to protect against those malicious mobile banking apps, consider an anti-malware program for your phone.

For the safest online banking experience, it’s best if you live by two credos. One is to know thyself. By keeping an eye on your online accounts and credit score, you can stay on top of abuse. The second is to know thy adversary. “Your bank doesn’t ask you to confirm account details via email or call you for personal information,” says Goldstein. “There is no urgent matter that requires verifying your responses to ‘secret’ questions or sharing the CVV code on the back of the card to prove your identity.” Simply put: if you are asked to share account details in any way—don’t. And if you want to pay it forward, notify your bank’s call center when you receive these suspicious communications. You just might help to protect the next online banker, too.
